-rw-r--r-- | usr.bin/nc/nc.1 | 52 | ||||
-rw-r--r-- | usr.bin/nc/netcat.c | 27 |
2 files changed, 48 insertions, 31 deletions
diff --git a/usr.bin/nc/nc.1 b/usr.bin/nc/nc.1
index 8cb96e8734f..461e9e41be9 100644
--- a/usr.bin/nc/nc.1
+++ b/usr.bin/nc/nc.1
@@ -1,4 +1,4 @@
-.\" $OpenBSD: nc.1,v 1.69 2015/09/11 21:07:01 beck Exp $
+.\" $OpenBSD: nc.1,v 1.70 2015/09/12 07:56:56 jmc Exp $
 .\"
 .\" Copyright (c) 1996 David Sacerdote
 .\" All rights reserved.
@@ -25,7 +25,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: September 11 2015 $
+.Dd $Mdocdate: September 12 2015 $
 .Dt NC 1
 .Os
 .Sh NAME
@@ -34,12 +34,17 @@
 .Sh SYNOPSIS
 .Nm nc
 .Bk -words
-.Op Fl 46DdFhklNnrStUuvz
+.Op Fl 46cDdFhklNnrStUuvz
+.Op Fl C Ar certfile
+.Op Fl e Ar name
+.Op Fl H Ar hash
 .Op Fl I Ar length
 .Op Fl i Ar interval
+.Op Fl K Ar keyfile
 .Op Fl O Ar length
 .Op Fl P Ar proxy_username
 .Op Fl p Ar source_port
+.Op Fl R Ar CAfile
 .Op Fl s Ar source
 .Op Fl T Ar keyword
 .Op Fl V Ar rtable
@@ -98,17 +103,19 @@ to use IPv4 addresses only.
 Forces
 .Nm
 to use IPv6 addresses only.
-.It Fl C Ar certificate_filename
+.It Fl C Ar certfile
 Specifies the filename from which the public key part of the TLS
-certificate is loaded, in PEM format. May only be used with TLS.
+certificate is loaded, in PEM format.
+May only be used with TLS.
 .It Fl c
-If using a TCP socket to connect or listen, use TLS. Illegal if not using TCP sockets.
+If using a TCP socket to connect or listen, use TLS.
+Illegal if not using TCP sockets.
 .It Fl D
 Enable debugging on the socket.
 .It Fl d
 Do not attempt to read from stdin.
 .It Fl e Ar name
-specify the name that must be present in the peer certificate when using TLS.
+Specify the name that must be present in the peer certificate when using TLS.
 Illegal if not using TLS.
 .It Fl F
 Pass the first connected socket using
@@ -125,7 +132,7 @@ using the
 .Xr ssh_config 5
 .Cm ProxyUseFdpass
 option).
-.It Fl H Ar hash_string
+.It Fl H Ar hash
 Specifies the required hash string of the peer certificate when using TLS.
 The string format required is that used by
 .Xr tls_peer_cert_hash 3 .
@@ -139,9 +146,10 @@ Specifies the size of the TCP receive buffer.
 .It Fl i Ar interval
 Specifies a delay time interval between lines of text sent and received.
 Also causes a delay time between connections to multiple ports.
-.It Fl K Ar key_filename
+.It Fl K Ar keyfile
 Specifies the filename from which the private key
-is loaded in PEM format. May only be used with TLS.
+is loaded in PEM format.
+May only be used with TLS.
 .It Fl k
 Forces
 .Nm
@@ -188,10 +196,11 @@ should use, subject to privilege restrictions and availability.
 It is an error to use this option in conjunction with the
 .Fl l
 option.
-.It Fl R Ar CA_filename
-Specifies the filename from which the root CA bundle for Certificate
-verification is loaded in pem format. Illegal if not using TLS.
-Default value is
+.It Fl R Ar CAfile
+Specifies the filename from which the root CA bundle for certificate
+verification is loaded, in PEM format.
+Illegal if not using TLS.
+The default is
 .Pa /etc/ssl/cert.pem .
 .It Fl r
 Specifies that source and/or destination ports should be chosen randomly
@@ -214,14 +223,15 @@ For TLS options
 .Ar keyword
 may be one of
 .Ar tlslegacy ,
-which allows legacy TLS protocols,
+which allows legacy TLS protocols;
 .Ar noverify ,
-which disables certificate verification
+which disables certificate verification;
 .Ar noname ,
-which disables certificate name checking, or
-.Ar clientcert,
-which requires a client certificate on incoming connections .
+which disables certificate name checking; or
+.Ar clientcert ,
+which requires a client certificate on incoming connections.
 It is illegal to specify TLS options if not using TLS.
+.Pp
 For IPv4 TOS value
 .Ar keyword
 may be one of
@@ -463,8 +473,8 @@ the source port, with a timeout of 5 seconds:
 .Pp
 .Dl $ nc -p 31337 -w 5 host.example.com 42
 .Pp
-Open a TCP connection to port 443 of www.google.ca, and negotiate
-TLS. Check for a different name in the certificate for validation.
+Open a TCP connection to port 443 of www.google.ca, and negotiate TLS.
+Check for a different name in the certificate for validation.
 .Pp
 .Dl $ nc -v -c -e adsf.au.doubleclick.net www.google.ca 443
 .Pp
diff --git a/usr.bin/nc/netcat.c b/usr.bin/nc/netcat.c
index bbd8de05226..acb97870a0c 100644
--- a/usr.bin/nc/netcat.c
+++ b/usr.bin/nc/netcat.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: netcat.c,v 1.134 2015/09/11 21:22:54 deraadt Exp $ */
+/* $OpenBSD: netcat.c,v 1.135 2015/09/12 07:56:56 jmc Exp $ */
 /*
 * Copyright (c) 2001 Eric Jackson <ericj@monkey.org>
 * Copyright (c) 2015 Bob Beck. All rights reserved.
@@ -1499,12 +1499,17 @@ help(void)
 fprintf(stderr, "\tCommand Summary:\n\
 \t-4 Use IPv4\n\
 \t-6 Use IPv6\n\
+ \t-C certfile Public key file\n\
+ \t-c Use TLS\n\
 \t-D Enable the debug socket option\n\
 \t-d Detach from stdin\n\
+ \t-e name\t Required name in peer certificate\n\
 \t-F Pass socket fd\n\
+ \t-H hash\t Hash string of peer certificate\n\
 \t-h This help text\n\
 \t-I length TCP receive buffer length\n\
- \t-i secs\t Delay interval for lines sent, ports scanned\n\
+ \t-i interval Delay interval for lines sent, ports scanned\n\
+ \t-K keyfile Private key file\n\
 \t-k Keep inbound sockets open for multiple connects\n\
 \t-l Listen mode, for inbound connects\n\
 \t-N Shutdown the network socket after EOF on stdin\n\
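Review bot: The help table in the `help(void)` hunk is now padded two different ways: the new `-e name\t` and `-H hash\t` rows align their description with an explicit `\t` escape, while the other new rows (`-C certfile`, `-K keyfile`, `-i interval`) appear to rely on literal whitespace, which this rendering collapses, so whether that is spaces or tabs cannot be told from here. Since the removed `-i secs\t` row was escape-padded, the hunk swaps one convention for the other on that row rather than settling on one; writing every row the same way, e.g. `\t-K keyfile\tPrivate key file\n\`, keeps the columns aligned however the source is indented. The `@@ -1512` hunk does the same for `-s source`, `-T keyword` and `-w timeout`, whose removed counterparts also used the escape. help()'s string literal continues into that hunk and the function's closing brace is outside both.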
@@ -1512,16 +1517,17 @@ help(void)
 \t-O length TCP send buffer length\n\
 \t-P proxyuser\tUsername for proxy authentication\n\
 \t-p port\t Specify local port for remote connects\n\
+ \t-R CAfile CA bundle\n\
 \t-r Randomize remote ports\n\
 \t-S Enable the TCP MD5 signature option\n\
- \t-s addr\t Local source address\n\
- \t-T toskeyword\tSet IP Type of Service\n\
+ \t-s source Local source address\n\
+ \t-T keyword TOS value or TLS options\n\
 \t-t Answer TELNET negotiation\n\
 \t-U Use UNIX domain socket\n\
 \t-u UDP mode\n\
 \t-V rtable Specify alternate routing table\n\
 \t-v Verbose\n\
- \t-w secs\t Timeout for connects and final net reads\n\
+ \t-w timeout Timeout for connects and final net reads\n\
 \t-X proto Proxy protocol: \"4\", \"5\" (SOCKS) or \"connect\"\n\
 \t-x addr[:port]\tSpecify proxy address and port\n\
 \t-z Zero-I/O mode [used for scanning]\n\
@@ -1533,11 +1539,12 @@ void
 usage(int ret)
 {
 fprintf(stderr,
- "usage: nc [-46cDdFhklNnrStUuvz] [-C certfile] [-e name] \n"
- "\t [-I length] [-i interval] [-H hash] [-K keyfile] [-O length]\n"
- "\t [-P proxy_username] [-p source_port] [-R cafile] [-s source]\n"
- "\t [-T tls|toskeyword] [-V rtable] [-w timeout]\n"
- "\t [-X proxy_protocol] [-x proxy_address[:port]]\n"
+ "usage: nc [-46cDdFhklNnrStUuvz] [-C certfile] [-e name] "
+ "[-H hash] [-I length]\n"
+ "\t [-i interval] [-K keyfile] [-O length] [-P proxy_username]\n"
+ "\t [-p source_port] [-R CAfile] [-s source] "
+ "[-T keyword] [-V rtable]\n"
+ "\t [-w timeout] [-X proxy_protocol] [-x proxy_address[:port]]\n"
 "\t [destination] [port]\n");
 if (ret)
 exit(1); |